Open swaldmann opened 3 months ago
this parameter "--production" is still used by Node v14 .
Node 14 (and 16) are already end-of-life though. They shouldn't be used any more, as they won't even get patched. IMO you should drop support for them, as in the worst case this enables stakeholders using those outdated versions.
Even if Node 14 support has to be kept for some reason there should be a conditional to use the --omit=dev
version for later Node versions. We really shouldn't show warnings for standard projects using a current LTS version just to accommodate to some version deprecated for years.
Even if Node 14 support has to be kept for some reason there should be a conditional to use the
--omit=dev
version for later Node versions. We really shouldn't show warnings for standard projects using a current LTS version just to accommodate to some version deprecated for years.
If you expect that repo to follow the most basic best current security practices or even SAP security policies, you will face disillusionment :) I've tried to push a bunch of security compliance PRs a year ago, most of them have been merged/taken over.
Dunno why such a critical piece in the SAP software supply chain can be left with known critical CVEs such as https://security-tracker.debian.org/tracker/CVE-2024-2961 several months ... or years.
Description
This PR replaces all occurrences of
--production
in annpm
context with--omit=dev
.Currently you get these warnings when deploying MTA projects with the standard
npm
builder: "npm warn config production Use--omit=dev
instead"The
omit
option was introduced withnpm
8, so it's available in all supported versions.Checklist